Towards an Attention-based Threat Detection System for IoT Networks
Thanh-Nhan Nguyen1,3⋆, Khanh-Mai Dang1,3⋆, Anh-Duy Tran1,3, and Kim-Hung Le2,3 (corresponding author)
1University of Science, Ho Chi Minh City, Vietnam
2University of Information Technology, Ho Chi Minh City, Vietnam
3Vietnam National University, Ho Chi Minh City, Vietnam
{ntnhan18,dkmai18}@apcs.fitus.edu.vn, taduy@fit.hcmus.edu.vn, hunglk@uit.edu.vn
Abstract. The proliferation of the Internet of Things (IoT) serves demands in our life ranging from smart homes and smart cities to manufacturing and many other industries. As a result of the massive deployment of IoT devices, the risk of cyber-attacks on these devices also increases. The limited computing resources of IoT devices prevent antivirus software from running directly on them. Therefore, these devices are vulnerable to cyber-attacks. In this research, we present our novel approach that could be applied to construct a lightweight Network Intrusion Detection System (NIDS) on IoT gateways. We utilize TabNet, Google's recently developed model for tabular data, as our detection model. The evaluation results on the BOT-IoT and UNSW-NB15 datasets prove the ability of our proposal in intrusion detection tasks with accuracies of 98,53% and 99,43%. Finally, we experiment with our approach on the Raspberry Pi 4 to prove its lightweight characteristic for deployment on IoT gateways.
Keywords: Intrusion Detection System · IoT devices · TabNet.
1 Introduction
Ever since the creation of Internet of Things (IoT) devices, they have been transforming our world drastically. Nowadays, IoT devices appear everywhere and serve different industries such as smart homes, smart cities, supermarkets, healthcare, manufacturing, and many others. According to recent research, the number of global IoT devices grew to 12.2 billion active endpoints in 2021 and is predicted to reach 27 billion in 2025 as supply constraints ease [11].
However, protecting an IoT network is a challenging problem due to the limitations in its computational power. This limitation makes deploying security software on IoT devices infeasible. Different types of attacks have been constantly reported throughout the years, with the most famous being botnets. In 2016, the Mirai botnet was reported as the main culprit that took down the whole Dyn DNS service, which caused many frequently used websites to be inaccessible [2]. In today's world, botnet and DDoS attacks are still the most common attacks on IoT networks.
⋆ These authors contributed equally.
To protect an IoT network, an Intrusion Detection System (IDS) is commonly installed on IoT gateways to monitor network traffic and raise an alert if there is any suspicious network activity [31]. There are three reasons for this approach. First, IoT devices are energy-constrained and limited in computational capability, so running the IDS directly on these devices affects their functionality. Second, an IoT gateway connects to all IoT devices in the network and can capture all inbound and outbound traffic of that network. Third, the IDS should lie near the IoT network to avoid interference with traffic from other networks.
Therefore, in this work, we tackle the intrusion detection problem for IoT networks by creating a lightweight anomaly-based Intrusion Detection System. Recently, Google has introduced TabNet, a new deep learning model that is specially designed to work with tabular data. To the best of our knowledge, no scholarly work has yet applied TabNet in the security field, and the number of works carried out on datasets dedicated to IoT (such as the BOT-IoT dataset) is meager.
Concretely, the authors aim to use TabNet to build a (lightweight) IDS for a network of IoT devices. In contrast to some works that suggest using CNN models for attack classification, the authors want to use a pure deep learning approach on the tabular flow features. Our method performs multi-class classification to detect the type of attack. To assess the capability of our method, we evaluate the performance of the TabNet model on two datasets: BOT-IoT and UNSW-NB15.
Overall, our main contributions are:
– Apply an attention-based model to detect attacks in the security field. TabNet uses an attention mechanism to focus on a specific set of attributes at each step for each instance.
– Evaluate the ability of the TabNet model to detect unknown attacks. Besides correctly detecting the types of attacks, the authors also test whether the model can detect unknown attacks that it has not seen before. The experiment shows very promising results for this part.
– Demonstrate the deployment of TabNet on lightweight devices. To show that the model can actually work on a constrained device and therefore be deployed in the real world, the authors use a Raspberry Pi 4 to assess TabNet's performance. Such an experiment consolidates the practicality of our proposed solution.
The rest of this paper is structured as follows: Section 2 reviews some popular approaches to the intrusion detection problem. Section 3 presents the architecture overview of our proposed IDS and the details of TabNet, our detection model. In Section 4, we provide further information on the datasets we used, the evaluation environment, and the metrics. Section 4.4 contains the experimental results and discussion. Finally, we conclude our work in Section 5.
2 Related Works
2.1 Device Classification
Because of the heterogeneity of IoT devices, knowing what type of device is communicating gives us an advantage in monitoring the network. This section discusses some recent approaches to the device classification task.
In 2018, L. Bai et al. proposed a deep learning approach using the LSTM-CNN architecture for classifying device types [4]. The authors claimed that this method was the first to leverage time-series information of network traffic. The approach works by capturing packets and separating them into different flows, each belonging to a specific device in the network, using the MAC address contained in the packet headers. The main classification model is based on the LSTM-CNN architecture and shows very good performance.
In 2019, S. Marchal et al. proposed AuDI, an autonomous system that can learn and effectively identify the type of IoT devices [21]. To handle the difficulty of dealing with devices that have sparse communication periods, the authors suggest modeling the network's periodic communications. This technique uses a hybrid architecture that utilizes both an IoT gateway and a cloud service. The IoT gateway is used to generate device fingerprints and send them to a kNN model hosted in the cloud. Another takeaway from this work is that the fingerprints generated on the IoT gateway can be used to create policies to manage the network.
2.2 Machine Learning IDS
Recently, in 2020, M. Eskandari et al. proposed Passban IDS, a deployable IDS that can run on a Raspberry Pi [8]. Passban IDS is constructed as a one-class classifier, meaning it can only distinguish between normal and abnormal network traffic. The core algorithm in Passban IDS is iForest, a tree-based machine learning algorithm designed based on the normal Random Forest. The system also provides a web-based user interface for convenient use. In experiments, Passban IDS shows very good performance on a Raspberry Pi when tested with 4 different attacks.
I. Hafeez et al. proposed IoT-KEEPER, an IDS that uses unsupervised learning to detect malicious traffic [10]. IoT-KEEPER uses Software Defined Networking to create a virtual network to monitor and filter traffic. After the detection phase, the system creates network policies to block malicious traffic flows. The authors also improved the model so that it can detect the exact type of attack. Their experiments show very good results for this approach. Furthermore, the authors prove that IoT-KEEPER can operate on a resource-constrained IoT device.
2.3 Deep Learning IDS
In 2019, X. Zhang et al. proposed an approach that makes use of a Convolutional Neural Network (CNN) model and decision tree algorithms [32]. The authors suggest converting the tabular data directly into images using a method called P-Zigzag. After the conversion, the images are fed into a CNN model called GoogLeNetNP, an improved model based on GoogLeNet. GoogLeNetNP's purpose is to classify different categories of attacks. Next, for each category of attack, a gcForest model is used for classifying sub-category attacks.
Also in 2019, E. Anthi et al. proposed an approach that uses 3 layers to
perform classification [1]. The first layer is to classify the type of IoT devices
and build a normal profile of those devices. The second layer is to distinguish
between malicious packets and normal packets. The third layer is to classify the
type of an attack based on 4 categories. The authors suggested using Weka to
make the datasets balanced. The authors also tested 9 classifiers to compare
their detection performance.
To tackle the detection problem with a different approach, T.-D. Nguyen et al. proposed DÏoT, a federated self-learning anomaly detection system for IoT [27]. The core algorithm in DÏoT is designed using Gated Recurrent Units (GRUs), a component that is widely used for series data. Another prominent feature of DÏoT is that it creates a specific model for each type of device. Using federated learning helps the whole system reduce bias and enhance privacy without losing performance. Furthermore, the system works well with unknown attacks and reports no false alarms when evaluated in a real-world smart home deployment setting.
Another approach that tackles the anomaly detection problem using a CNN model is IMIDS, proposed by K.-H. Le et al. in 2022 [19]. The authors demonstrated CNN's performance using a simple self-designed CNN model in the IDS. To improve the accuracy, the authors apply a Generative Adversarial Network (GAN) model to synthesize more samples for minority classes in the dataset. This helps increase the performance of the IDS since the dataset is highly imbalanced [26].
Also in 2022, X.-H. Nguyen et al. proposed Realguard, a lightweight network
intrusion detection system for IoT Gateways [28]. Realguard’s core detection
model is a simple self-designed neural network that contains only 5 hidden layers
and 34315 parameters. To reduce the memory footprint and increase the speed
in the feature extraction phase, the authors proposed a feature extractor based
on the Damped Incremental Statistics algorithm. The whole model is tested on
a Raspberry Pi 4 to show its potential to be deployed on real IoT Gateways.
D.-T. Nguyen et al. proposed MidSIoT, a Multistage Intrusion Detection System for the Internet of Things [6]. The overall system contains 3 main stages: classifying the type of IoT devices, distinguishing between malicious and benign network traffic, and detecting the type of attack. The authors remove redundant features using Pearson's correlation coefficient to increase the system's robustness. Furthermore, to deal with the problem of imbalanced datasets, the authors use SMOTE to synthesize new data points for minority classes. The proposed IDS is expected to be deployed to IoT gateways using the edge deployment frameworks presented in [7, 18, 20].
Fig. 1. Proposed IDS
3 Proposed IDS
3.1 Architecture Overview
In this section, we discuss our proposed IDS in general. Overall, our proposed IDS contains three main components:
– Packet Capture block: This block is responsible for capturing raw packets and storing them in PCAP files. This block uses the TCPDump program to perform the capturing process.
– Packet Convert block: This block converts the PCAP files received from the previous block into CSV files. During the conversion, it also extracts network flows from the packets and generates analysis features for those flows. This block uses CICFlowMeter [9], a network traffic flow analyzer, to perform the extraction and feature generation.
– Anomaly Detection block: This block is the main component of our IDS. It is responsible for reading the CSV files, loading the model, and performing classification. Since our model is trained offline, this block does not handle any training process. Our approach does not need to perform any data preprocessing before the classification takes place. Finally, TabNet is chosen as the core model for this detection block.
For the Packet Capture block and the Packet Convert block, we use a bash script [30] to execute the TCPDump program to capture packets and call CICFlowMeter to make the conversions accordingly. For that reason, we only explain the Anomaly Detection block in detail. Figure 1 illustrates our overall system.
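The hand-off between the Packet Convert block and the Anomaly Detection block is where a practitioner usually hits the first problems: the CSV that a flow exporter such as CICFlowMeter produces mixes identifying columns (addresses, ports, timestamps) with numeric flow features, and per-second rate columns of zero-duration flows are written as "Infinity" or "NaN", which no classifier can consume. The following loader is an added example, not code from the paper or from the CICFlowMeter project: the column names in the constructed sample are an assumed subset of a CICFlowMeter-style header, the mapping of non-finite values to 0.0 is a design assumption, and `placeholder_classifier` only stands in for the trained TabNet model so that the pipeline runs end to end.

```python
"""Loader for the Anomaly Detection block's input: CICFlowMeter-style CSV rows
to numeric feature vectors plus flow metadata. Added illustration, not the
paper's code. Column names below are a constructed subset (assumption)."""
import csv
import io
import math
from typing import Callable, Dict, List, Tuple

# Constructed sample: three flows in a CICFlowMeter-like layout (assumption).
SAMPLE_CSV = """Flow ID,Src IP,Src Port,Dst IP,Dst Port,Protocol,Timestamp,Flow Duration,Tot Fwd Pkts,Tot Bwd Pkts,Flow Byts/s,Flow Pkts/s,Label
10.0.0.10-10.0.0.1-51234-53-17,10.0.0.10,51234,10.0.0.1,53,17,01/01/2022 10:00:00,1200,1,1,98333.33,1666.67,NoLabel
10.0.0.20-10.0.0.1-40000-80-6,10.0.0.20,40000,10.0.0.1,80,6,01/01/2022 10:00:01,0,1,0,Infinity,Infinity,NoLabel
10.0.0.30-10.0.0.1-40001-80-6,10.0.0.30,40001,10.0.0.1,80,6,01/01/2022 10:00:01,3,1,0,NaN,333333.33,NoLabel
"""

# Columns that identify a flow rather than describe it. They are kept for
# alerting but never reach the classifier, which would otherwise memorise
# addresses and ports instead of learning traffic behaviour.
META_COLUMNS = ("Flow ID", "Src IP", "Src Port", "Dst IP", "Dst Port", "Timestamp", "Label")


def parse_feature(value: str) -> float:
    """CICFlowMeter writes 'Infinity' and 'NaN' for per-second rates of
    zero-duration flows. They are mapped to 0.0 here (a design assumption);
    whatever mapping is chosen must be identical at training and inference."""
    try:
        f = float(value)
    except ValueError:
        return 0.0
    return f if math.isfinite(f) else 0.0


def load_flows(text: str) -> Tuple[List[str], List[Dict[str, str]], List[List[float]]]:
    """Return (feature_names, per-flow metadata, per-flow feature vectors)."""
    reader = csv.DictReader(io.StringIO(text))
    names = [c for c in reader.fieldnames if c not in META_COLUMNS]
    meta, vectors = [], []
    for row in reader:
        meta.append({c: row[c] for c in META_COLUMNS})
        vectors.append([parse_feature(row[c]) for c in names])
    return names, meta, vectors


def placeholder_classifier(names: List[str], x: List[float]) -> str:
    """Stand-in for the trained TabNet model (assumption): flags flows whose
    packet rate exceeds a constructed threshold. Only here so the pipeline runs."""
    return "Suspicious" if x[names.index("Flow Pkts/s")] > 100000 else "Normal"


def detect(text: str,
           classifier: Callable[[List[str], List[float]], str] = placeholder_classifier
           ) -> List[Tuple[str, str]]:
    """Classify every flow in a CSV and return (Flow ID, label) for non-Normal flows."""
    names, meta, vectors = load_flows(text)
    alerts = []
    for m, x in zip(meta, vectors):
        label = classifier(names, x)
        if label != "Normal":
            alerts.append((m["Flow ID"], label))
    return alerts


if __name__ == "__main__":
    for flow_id, label in detect(SAMPLE_CSV):
        print(f"ALERT {label}: {flow_id}")
```

Note that the second sample flow, whose rate columns were "Infinity", is scored on 0.0 after the mapping: the value the loader substitutes is effectively part of the model, so it has to be decided once and applied to the training CSVs as well as to the gateway's live output.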
3.2 Attack Detection Model
As mentioned in Section 3.1, we use TabNet [3], a deep learning model designed specifically for tabular data, as our core model to perform attack classification. TabNet is created as an end-to-end deep learning model, which means we can train the model using pairs of input-output samples. The training process of TabNet uses gradient descent-based methods to update the model's weights. The authors also designed TabNet to work without needing any preprocessing steps for input data.
The structure of TabNet includes one or multiple similar blocks called decision steps. Each decision step may choose a different set of features to make a prediction, and at the end, the predictions of all steps are combined in a voting manner. This idea is called sequential attention. Before the samples are fed into the decision steps, the model merely applies batch normalization to the raw features without the need for global normalization. Each decision step then receives the same features f from the batch normalization block. The ith decision step receives the processed information from the (i−1)th step to decide which features to use, and outputs a processed feature representation which is then aggregated into the overall decision.
Furthermore, the feature selection process is instance-wise, meaning that for each sample the model may focus on a different set of features. Interestingly, TabNet's authors claimed that multiple decision steps behave like an ensemble classifier. Figure 2 illustrates the architecture of TabNet's decision steps.
Fig. 2. TabNet’s architecture [3]
A decision step contains two smaller networks: an attentive transformer and
a feature transformer. Those two transformers are also the core components in
a decision step.
A feature transformer is a neural network in which there are multiple layers organized into two types of smaller networks. One type is shared across different decision steps, and the other type is decision step-dependent. Figure 3 shows the architecture of a feature transformer. The authors stated in the original work that sharing some layers between decision steps helps the model achieve "parameter-efficient and robust learning with high capacity". The authors also reasoned that "normalization with √0.5 stabilizes the learning process by ensuring that the variance throughout the network does not change dramatically." The output of a feature transformer is transferred to the attentive transformer of the next decision step and to the overall output in a voting manner.
Fig. 3. Feature transformer's architecture
An attentive transformer is responsible for selecting the features used for reasoning in a step. The structure of an attentive transformer comprises a fully connected layer, batch normalization, and a Sparsemax normalization. Figure 4 illustrates the architecture of the attentive transformer. The prior scales block tells the attentive transformer how much each feature has been used in previous steps. The attentive transformer creates a mask to indicate which features should be used in this step. The mask also functions as a way to explain the model: by looking at the mask, we know which features are being used.
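The interplay between Sparsemax and the prior scales is what turns the attentive transformer into a feature selector rather than a soft weighting, and it is the part of TabNet that gives the IDS its per-flow explanation. The block below is an added illustration in plain Python, not the paper's code and not TabNet's implementation: the score vectors that stand in for the fully connected plus batch normalization output are constructed, and the relaxation factor gamma = 1.3 (the default in the pytorch-tabnet library) is an assumption. It runs the mask and prior-scale recurrence over two decision steps and shows that a feature fully used in step one is pushed down in step two.

```python
"""Sequential attention of TabNet's attentive transformer, re-implemented in
plain Python as an added illustration (not the paper's or TabNet's code).
Assumptions: the FC+BN output of each step is a constructed score vector, and
the relaxation factor gamma = 1.3 (the pytorch-tabnet default)."""
from typing import List, Tuple


def sparsemax(z: List[float]) -> List[float]:
    """Projection of z onto the probability simplex. Unlike softmax it can
    give exactly zero weight, which is what makes the mask a feature selector."""
    zs = sorted(z, reverse=True)
    cum, tau = 0.0, 0.0
    for j, zj in enumerate(zs, start=1):
        cum += zj
        if 1.0 + j * zj > cum:          # the support keeps growing while this holds
            tau = (cum - 1.0) / j
    return [max(v - tau, 0.0) for v in z]


def attention_masks(scores: List[List[float]],
                    gamma: float = 1.3) -> Tuple[List[List[float]], List[float]]:
    """Recurrence over decision steps:
       M[i] = sparsemax(P[i-1] * scores[i]),   P[i] = P[i-1] * (gamma - M[i]).
    scores[i] stands in for FC+BN(a[i-1]) at step i; P[0] is all ones."""
    n_features = len(scores[0])
    prior = [1.0] * n_features
    masks = []
    for s in scores:
        mask = sparsemax([p * v for p, v in zip(prior, s)])
        masks.append(mask)
        # Prior scales: a feature used heavily in this step is scaled down for
        # the next one; gamma = 1 would forbid reusing a fully used feature.
        prior = [p * (gamma - m) for p, m in zip(prior, mask)]
    return masks, prior


def feature_usage(masks: List[List[float]]) -> List[float]:
    """Normalised sum of the masks per feature: the simplified explanation
    view mentioned above. TabNet additionally weights each step by its output
    contribution; that weighting is omitted here (simplification)."""
    totals = [sum(step[j] for step in masks) for j in range(len(masks[0]))]
    s = sum(totals)
    return [t / s for t in totals]


if __name__ == "__main__":
    # Constructed scores: the same three features score identically at both steps.
    masks, prior = attention_masks([[2.0, 1.0, 0.0], [2.0, 1.0, 0.0]])
    for i, m in enumerate(masks, start=1):
        print(f"step {i} mask: {[round(v, 3) for v in m]}")
    print("prior after 2 steps:", [round(v, 3) for v in prior])
    print("usage:", [round(v, 3) for v in feature_usage(masks)])
```

With identical scores at both steps, step one selects feature 0 alone (mask 1, 0, 0); its prior scale drops to gamma − 1 = 0.3, so at step two feature 1 takes most of the mask even though feature 0 still scores higher. That shift is what lets later decision steps look at other attributes of the same flow.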
4 Evaluation Results
4.1 Evaluation Environment
Regarding machine learning models, we use a dedicated server to conduct our experiments. Specifically, we use this server to train the TabNet model with different configurations and evaluate those models. The specification of the server is as follows:
– Processor: CPU Intel Xeon Gold 5220R
– Memory: RAM 256GB
– Graphics card: GPU Nvidia A100 40GB
– Operating System: Ubuntu 20.04 LTS
Fig. 4. Attentive transformer's architecture
Besides training the models, we also use this server to preprocess the datasets. Since TabNet is not a very large neural network and there is no pretrained model for TabNet, we train the whole model from scratch. After the training process, the models can be loaded and evaluated directly on this server, or they can be transferred to a Raspberry Pi.
For the evaluation on constrained devices, we use a Raspberry Pi 4 with the following specifications:
– Processor: CPU Broadcom BCM2711
– Memory: RAM 4GB
– Operating system: Ubuntu 22.04 LTS
Even though the Raspberry Pi is very resource-limited, it can still perform classification at a blazing fast speed.
4.2 Evaluation Metrics
To evaluate our approach, we use the following metrics: Accuracy, Precision, Recall, and F1-score.
Accuracy. Accuracy measures the number of correctly classified records over the total number of samples. It is good for showing the overall performance of the model.
$$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}$$
Precision. In the context of our experiments, the precision score is the fraction of records correctly classified as attacks over the total number of records the model flagged as attacks.
$$\mathrm{Precision} = \frac{TP}{TP + FP}$$
Recall. The recall score is the fraction of attacks the model detects over the total number of attacks in the ground truth labels. The recall score has the ideal value of 1 when the model detects all the attacks in the dataset.
$$\mathrm{Recall} = \frac{TP}{TP + FN}$$
F1-score. The F1-score is the harmonic mean of precision and recall, so it is easier to judge a model's performance based on the F1-score. The F1-score reaches its maximum of 1 when both Precision and Recall equal 1, which means the model correctly detects and classifies all attack records in the dataset.
$$\mathrm{F1\text{-}score} = \frac{2 \times \mathrm{Precision} \times \mathrm{Recall}}{\mathrm{Precision} + \mathrm{Recall}}$$
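For a multi-class IDS these four formulas are applied per class in one-vs-rest form and then averaged, and the averaging choice matters for a dataset as imbalanced as BOT-IoT. The following block is an added example, not the paper's evaluation code: it computes the per-class scores of Section 4.2 from raw labels and a support-weighted summary (the assumption here is that the dataset-level rows of Table 1 are support-weighted averages; support-weighted recall is mathematically equal to accuracy, which agrees with the identical Accuracy and Recall columns in that table). The label sequences are constructed so that the minority "Theft" class is swallowed by the majority "DDoS" class, the failure mode visible in the Theft and Keylogging rows of Tables 2 and 3.

```python
"""Accuracy, precision, recall and F1 for a multi-class IDS, computed from raw
labels in plain Python. Added illustration, not the paper's evaluation code.
The sample labels below are constructed; the support-weighted averaging is an
assumption about how Table 1's dataset-level scores were formed."""
from typing import Dict, List, Sequence, Tuple


def confusion_counts(y_true: Sequence[str], y_pred: Sequence[str],
                     labels: Sequence[str]) -> Dict[str, Dict[str, int]]:
    """One-vs-rest TP/FP/FN and support for every class."""
    counts = {c: {"TP": 0, "FP": 0, "FN": 0, "support": 0} for c in labels}
    for t, p in zip(y_true, y_pred):
        counts[t]["support"] += 1
        if t == p:
            counts[t]["TP"] += 1
        else:
            counts[t]["FN"] += 1   # a record of class t was missed ...
            counts[p]["FP"] += 1   # ... and wrongly attributed to class p
    return counts


def precision_recall_f1(tp: int, fp: int, fn: int) -> Tuple[float, float, float]:
    """The three per-class formulas from Section 4.2; 0.0 when a denominator
    is zero (a class never predicted, or absent from the ground truth)."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def per_class_report(y_true: Sequence[str], y_pred: Sequence[str],
                     labels: Sequence[str]) -> Dict[str, Tuple[float, float, float]]:
    counts = confusion_counts(y_true, y_pred, labels)
    return {c: precision_recall_f1(counts[c]["TP"], counts[c]["FP"], counts[c]["FN"])
            for c in labels}


def dataset_summary(y_true: Sequence[str], y_pred: Sequence[str],
                    labels: Sequence[str]) -> Dict[str, float]:
    """Accuracy plus support-weighted precision/recall/F1. Support-weighted
    recall equals accuracy by construction: sum_c (n_c/N) * (TP_c/n_c) = TP/N."""
    n = len(y_true)
    counts = confusion_counts(y_true, y_pred, labels)
    report = per_class_report(y_true, y_pred, labels)
    accuracy = sum(1 for t, p in zip(y_true, y_pred) if t == p) / n
    weighted = [0.0, 0.0, 0.0]
    for c in labels:
        w = counts[c]["support"] / n
        for k in range(3):
            weighted[k] += w * report[c][k]
    return {"accuracy": accuracy, "precision": weighted[0],
            "recall": weighted[1], "f1": weighted[2]}


# Constructed sample: 6 Normal, 3 DDoS and 1 Theft flow; one Normal flow and
# the single Theft flow are misclassified as DDoS.
LABELS: List[str] = ["Normal", "DDoS", "Theft"]
Y_TRUE: List[str] = ["Normal"] * 6 + ["DDoS"] * 3 + ["Theft"]
Y_PRED: List[str] = ["Normal"] * 5 + ["DDoS"] + ["DDoS"] * 3 + ["DDoS"]

if __name__ == "__main__":
    for c, (p, r, f) in per_class_report(Y_TRUE, Y_PRED, LABELS).items():
        print(f"{c:8s} P={p:.4f} R={r:.4f} F1={f:.4f}")
    print(dataset_summary(Y_TRUE, Y_PRED, LABELS))
```

On this sample the summary reports 0.8 accuracy while the Theft row is 0/0/0: a dataset-level score that looks acceptable can hide a class the IDS never detects, which is why the per-class tables carry more information than Table 1 for the rare attack types.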
4.3 Datasets
To evaluate our work, we use the BOT-IoT dataset and the UNSW-NB15 dataset. Both datasets are popular and were created by the Cyber Range Lab of UNSW Canberra. In the following subsections, we provide detailed information about these two datasets.
BOT-IoT. The BOT-IoT dataset [12–17] was created by designing a realistic network environment combining normal network traffic and botnet traffic behaviors. In our experiment, we use the small version of the BOT-IoT dataset, which contains 3 million records. As in the original dataset, this small one contains all attack categories and subcategories. The dataset covers DDoS, DoS, OS and Service Scan, Keylogging, Data exfiltration, and Normal traffic, grouped into 5 main categories that BOT-IoT divides into 11 smaller sub-categories. This dataset is highly imbalanced: while the DDoS class contains 1926167 records, the Theft class contains only 75 records.
UNSW-NB15. The UNSW-NB15 dataset [22–25, 29] is a popular dataset in the field of Intrusion Detection Systems. The Cyber Range Lab of UNSW Canberra used the IXIA PerfectStorm tool to simulate normal and contemporary synthetic attack behaviors. The dataset contains 9 kinds of attacks: Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode, and Worms. The UNSW-NB15 dataset is also highly imbalanced. The Normal class contains about 2 million records, while the Worms class has only 174 rows.
4.4 Results and Discussion
In this section, we show and analyze the experimental results of our proposed approach. As mentioned in Section 4.3, BOT-IoT contains 5 main categories and 11 more detailed sub-categories inside the 5 main ones. Table 1 presents the performance when testing on the 11 subcategories of the BOT-IoT dataset, the 5 main categories of the BOT-IoT dataset, and the 10 classes of the UNSW-NB15 dataset. Both datasets are augmented using the SMOTE [5] technique.
Table 1. The highest results in different metrics. A high F1-score means high Precision and Recall, which indicates the ability to correctly classify attacks and a low attack missing rate.
Dataset Accuracy Precision Recall F1-score
BOT-IoT 0,9853 0,9865 0,9853 0,9857
BOT-IoT (main categories only) 0,9943 0,9943 0,9943 0,9943
UNSW-NB15 0,9795 0,9784 0,9795 0,9767
Tables 2 and 3 present the scores in different metrics when testing on the 11 subcategories and the 5 main categories of the BOT-IoT dataset. Our approach achieves a high F1-score for most of the classes.
Table 2. The precision, recall, and F1-score per class when experimenting on 11 sub-classes of the BOT-IoT dataset
Category Precision Recall F1-score
DDoS, HTTP 0,3088 0,9747 0,4690
DDoS, TCP 0,9833 0,9747 0,9809
DDoS, UDP 1,0000 0,9991 0,9995
DoS, HTTP 0,5540 0,9527 0,7006
DoS, TCP 0,9646 0,9812 0,9729
DoS, UDP 0,9992 1,0000 0,9996
Normal 1,0000 0,9759 0,9878
Reconnaissance, OS Fingerprint 0,5601 0,7616 0,6455
Reconnaissance, Service Scan 0,9177 0,8457 0,8802
Theft, Data Exfiltration 1,0000 1,0000 1,0000
Theft, Keylogging 0,5185 1,0000 0,6829
Table 3. The precision, recall, and F1-score per class when experimenting on 5 main classes of the BOT-IoT dataset. Our approach has a good performance in detecting DDoS attacks. The model also classifies benign traffic correctly; hence, the model does not raise any false alarms.
Category Precision Recall F1-score
DDoS 0,9977 0,9915 0,9946
DoS 0,9908 0,9973 0,9940
Normal 1,0000 0,9873 0,9936
Reconnaissance 0,9857 0,9989 0,9923
Theft 0,8125 0,9286 0,8667
We also compare our results with the results from MidSIoT [6] in terms of F1-score in Table 4. Our approach performs better than MidSIoT in the classes Normal and Theft; the results in the other classes are competitive. However, MidSIoT did not evaluate the Theft class due to the problem of too few samples.
Table 4. F1-score per class comparison between TabNet and MidSIoT on the BOT-IoT dataset. Our approach performs better than MidSIoT on the classes Normal and Theft; the results on the other classes are competitive.
Category TabNet MidSIoT
DDoS 0,9946 0,9995
DoS 0,9940 0,9989
Normal 0,9936 0,3636
Reconnaissance 0,9923 0,9999
Theft 0,8667 -
For the UNSW-NB15 dataset, we perform experiments to evaluate our approach and also compare it with IMIDS [19]. Table 5 shows the precision, recall, and F1-score of every class in the UNSW-NB15 dataset. Table 6 presents the comparison between our work and IMIDS. When compared to IMIDS, our approach has a better performance in terms of F1-score for most of the classes. For the classes DoS and Worms, our approach has lower scores. In the remaining classes, our method and IMIDS are competitive.
We also conduct performance assessments using a Raspberry Pi 4 as mentioned in Section 4.1. For this experiment, we transfer the model to the Raspberry Pi along with the testing set from the BOT-IoT dataset. This model is trained on the preprocessed and augmented training set from the BOT-IoT dataset. The result is very promising, with the average time to perform a prediction being approximately 302 µs per network flow. Total RAM usage is measured to be about 667MB, including the memory used for loading the whole testing set and the TabNet model. The testing set consists of 442630 network flows.
Table 5. The precision, recall, and F1-score per class when experimenting on 10 classes of the UNSW-NB15 dataset.
Category Precision Recall F1-score
Normal 1,0000 0,9856 0,9927
Generic 0,9164 0,8436 0,8785
Fuzzers 0,4268 0,8795 0,5747
DoS 0,2739 0,2655 0,2696
Reconnaissance 0,7941 0,7237 0,7573
Exploits 0,8067 0,7015 0,7504
Analysis 0,0960 0,3710 0,1525
Backdoors 0,1163 0,3590 0,1757
Shellcode 0,3671 0,7835 0,5000
Worms 0,1226 0,3824 0,1857
Table 6. F1-score per class comparison between TabNet and IMIDS on the UNSW-NB15 dataset. Our approach has a better performance in terms of F1-score for most of the classes.
Category TabNet IMIDS IMIDS with ctGAN
Normal 0,9956 0,9918 0,9906
Generic 0,9899 0,9861 0,9865
Fuzzers 0,5451 0,5151 0,5173
DoS 0,0695 0,4465 0,4376
Reconnaissance 0,8152 0,7582 0,7011
Exploits 0,7101 0,5555 0,5522
Analysis 0,0290 0,1514 0,1206
Backdoors 0,0839 0,1069 0,0930
Shellcode 0,5587 0,2642 0,2432
Worms 0,0000 0,2014 0,1244
Detecting Unknown Attacks. Our proposed IDS has a good performance in detecting unknown attacks. To prove the ability to detect unknown attacks, we conduct experiments on 2 categories of the BOT-IoT dataset: DoS and DDoS. For the DoS category, the testing set comprises records from the DoS, UDP subcategory. For the experiment on the DDoS category, the testing set comprises DDoS, UDP records. Both testing sets contain 20% normal data. The training sets of the two experiments contain records from the remaining subcategories in the DoS and DDoS categories, respectively. Table 7 shows the accuracy for this experiment.
Table 7. Results when testing with unknown attacks
Subcategory Accuracy
DoS, UDP 99,93%
DDoS, UDP 99,99%
5 Conclusions
We have proposed a new approach for building an IDS for IoT gateways that uses an attention-based model as the core classification model. From our literature review, TabNet has not been used in the intrusion detection field before. Therefore, applying such an advanced model to the intrusion detection field is an innovative decision. The approach achieves accuracies of 98,53% and 99,43% when classifying the 11 subcategories and the 5 main categories in the BOT-IoT dataset, respectively. Regarding the UNSW-NB15 dataset, the model's accuracy is 97,47%. Besides, we also compare our approach with existing works using the F1-score metric. When comparing TabNet with existing approaches such as MidSIoT [6] and IMIDS [19], the results are highly competitive. For some attack categories, our results are even better. Moreover, our approach achieves 99,93% accuracy when testing with unknown attacks. Finally, we test our approach on a Raspberry Pi 4 to prove its lightweight characteristic for deployment on IoT gateways. In conclusion, our method achieves good performance in the task of intrusion detection and is suitable for resource-constrained devices.
Acknowledgements
This research is supported by research funding from the Faculty of Information Technology, University of Science, Vietnam National University - Ho Chi Minh City.
References
1. Anthi, E., Williams, L., Słowińska, M., Theodorakopoulos, G., Burnap, P.: A supervised intrusion detection system for smart home IoT devices. IEEE Internet of Things Journal 6(5), 9042–9053 (2019)
2. Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J.,
Durumeric, Z., Halderman, J.A., Invernizzi, L., Kallitsis, M., Kumar, D., Lever,
C., Ma, Z., Mason, J., Menscher, D., Seaman, C., Sullivan, N., Thomas, K.,
Zhou, Y.: Understanding the mirai botnet. In: 26th USENIX Security Sympo-
sium (USENIX Security 17). pp. 1093–1110. USENIX Association, Vancouver,
BC (Aug 2017), https://www.usenix.org/conference/usenixsecurity17/technical-
sessions/presentation/antonakakis
3. Arik, S., Pfister, T.: Tabnet: Attentive interpretable tabular learning (2021)
4. Bai, L., Yao, L., Kanhere, S.S., Wang, X., Yang, Z.: Automatic device classification
from network traffic streams of internet of things. In: 2018 IEEE 43rd conference
on local computer networks (LCN). pp. 1–9. IEEE (2018)
5. Bowyer, K.W., Chawla, N.V., Hall, L.O., Kegelmeyer, W.P.: SMOTE:
synthetic minority over-sampling technique. CoRR abs/1106.1813 (2011),
http://arxiv.org/abs/1106.1813
6. Dat-Thinh, N., Xuan-Ninh, H., Kim-Hung, L., Nassar, H.: MidSIoT: A multistage intrusion detection system for Internet of Things. Wirel. Commun. Mob. Comput. 2022 (Jan 2022). https://doi.org/10.1155/2022/9173291
7. Do, X.T., Le, K.H.: Towards Remote Deployment for Intrusion Detection System to IoT Edge Devices, pp. 301–316. Springer International Publishing, Cham (2022). https://doi.org/10.1007/978-3-030-90119-6_24
8. Eskandari, M., Janjua, Z.H., Vecchio, M., Antonelli, F.: Passban ids:
An intelligent anomaly-based intrusion detection system for iot edge
devices. IEEE Internet of Things Journal 7(8), 6882–6897 (2020).
https://doi.org/10.1109/JIOT.2020.2970501
9. Habibi Lashkari, A., Draper Gil, G., Mamun, M.S.I., Ghorbani, A.A.: CICFlowMeter, https://www.unb.ca/cic/research/applications.html
10. Hafeez, I., Antikainen, M., Ding, A.Y., Tarkoma, S.: Iot-keeper: Detecting malicious
iot network activity using online traffic analysis at the edge. IEEE Transactions
on Network and Service Management 17(1), 45–59 (2020)
11. Hasan, M.: State of iot 2022: Number of connected iot devices growing 18% to 14.4
billion globally (2022), https://iot-analytics.com/number-connected-iot-devices
12. Koroniotis, N.: Designing an effective network forensic framework for the investi-
gation of botnets in the internet of things (2020)
13. Koroniotis, N., Moustafa, N.: Enhancing network forensics with particle swarm
and deep learning: The particle deep framework. CoRR abs/2005.00722 (2020),
https://arxiv.org/abs/2005.00722
14. Koroniotis, N., Moustafa, N., Schiliro, F., Gauravaram, P., Janicke, H.: A holistic
review of cybersecurity and reliability perspectives in smart airports. IEEE Access
8, 209802–209834 (2020). https://doi.org/10.1109/ACCESS.2020.3036728
15. Koroniotis, N., Moustafa, N., Sitnikova, E.: A new network forensic framework based on deep learning for Internet of Things networks: A particle deep framework. Future Generation Computer Systems 110, 91–106 (2020). https://doi.org/10.1016/j.future.2020.03.042, https://www.sciencedirect.com/science/article/pii/S0167739X19325105
16. Koroniotis, N., Moustafa, N., Sitnikova, E., Slay, J.: Towards developing network
forensic mechanism for botnet activities in the iot based on machine learning tech-
niques. In: Hu, J., Khalil, I., Tari, Z., Wen, S. (eds.) Mobile Networks and Man-
agement. pp. 30–44. Springer International Publishing, Cham (2018)
17. Koroniotis, N., Moustafa, N., Sitnikova, E., Turnbull, B.: Towards the develop-
ment of realistic botnet dataset in the internet of things for network forensic
analytics: Bot-iot dataset (2018). https://doi.org/10.48550/ARXIV.1811.00701,
https://arxiv.org/abs/1811.00701
18. Le, K.H., Le-Minh, K.H., Thai, H.T.: BrainyEdge: An AI-enabled framework for IoT edge computing. ICT Express (2021). https://doi.org/10.1016/j.icte.2021.12.007, https://www.sciencedirect.com/science/article/pii/S2405959521001727
19. Le, K.H., Nguyen, M.H., Tran, T.D., Tran, N.D.: Imids: An intelligent intru-
sion detection system against cyber threats in iot. Electronics 11(4) (2022).
https://doi.org/10.3390/electronics11040524, https://www.mdpi.com/2079-
9292/11/4/524
20. Le Minh, K.H., Le, K.H., Le-Trung, Q.: Dlase: A light-weight framework supporting
deep learning for edge devices. In: 2020 4th International Conference on Recent
Advances in Signal Processing, Telecommunications & Computing (SigTelCom).
pp. 103–108 (2020). https://doi.org/10.1109/SigTelCom49868.2020.9199058
21. Marchal, S., Miettinen, M., Nguyen, T.D., Sadeghi, A.R., Asokan, N.: AuDI: Toward autonomous IoT device-type identification using periodic communication. IEEE Journal on Selected Areas in Communications 37(6), 1402–1412 (2019). https://doi.org/10.1109/JSAC.2019.2904364
22. Moustafa, N., Creech, G., Slay, J.: Big Data Analytics for Intrusion Detection System: Statistical Decision-Making Using Finite Dirichlet Mixture Models, pp. 127–156. Springer International Publishing, Cham (2017). https://doi.org/10.1007/978-3-319-59439-2_5
23. Moustafa, N., Slay, J.: Unsw-nb15: a comprehensive data set for network intru-
sion detection systems (unsw-nb15 network data set). In: 2015 Military Com-
munications and Information Systems Conference (MilCIS). pp. 1–6 (2015).
https://doi.org/10.1109/MilCIS.2015.7348942
24. Moustafa, N., Slay, J.: The evaluation of network anomaly detection systems: Sta-
tistical analysis of the unsw-nb15 data set and the comparison with the kdd99 data
set. Information Security Journal: A Global Perspective 25(1-3), 18–31 (2016)
25. Moustafa, N., Slay, J., Creech, G.: Novel geometric area analysis tech-
nique for anomaly detection using trapezoidal area estimation on large-
scale networks. IEEE Transactions on Big Data 5(4), 481–494 (2019).
https://doi.org/10.1109/TBDATA.2017.2715166
26. Nguyen, P.C., Nguyen, Q.T., Le, K.H.: An ensemble feature selection algorithm
for machine learning based intrusion detection system. In: 2021 8th NAFOS-
TED Conference on Information and Computer Science (NICS). pp. 50–54 (2021).
https://doi.org/10.1109/NICS54270.2021.9701577
27. Nguyen, T.D., Marchal, S., Miettinen, M., Fereidooni, H., Asokan, N., Sadeghi, A.R.: DÏoT: A federated self-learning anomaly detection system for IoT (2018). https://doi.org/10.48550/ARXIV.1804.07474, https://arxiv.org/abs/1804.07474
28. Nguyen, X.H., Nguyen, X.D., Huynh, H.H., Le, K.H.: Realguard: A lightweight
network intrusion detection system for iot gateways. Sensors 22(2) (2022).
https://doi.org/10.3390/s22020432, https://www.mdpi.com/1424-8220/22/2/432
29. Sarhan, M., Layeghy, S., Moustafa, N., Portmann, M.: Netflow datasets for machine
learning-based network intrusion detection systems. In: Deze, Z., Huang, H., Hou,
R., Rho, S., Chilamkurti, N. (eds.) Big Data Technologies and Applications. pp.
117–135. Springer International Publishing, Cham (2021)
30. Tiwatthanont, P.: TCPDUMP and CICFlowMeter, https://github.com/iPAS/TCPDUMP_and_CICFlowMeter
31. Tran, B.S., Ho, T.H., Do, T.X., Le, K.H.: Empirical Performance Evaluation of Machine Learning based DDoS Attack Detections, pp. 283–299. Springer International Publishing, Cham (2022). https://doi.org/10.1007/978-3-030-90119-6_23
32. Zhang, X., Chen, J., Zhou, Y., Han, L., Lin, J.: A multiple-layer representation
learning model for network-based attack detection. IEEE Access 7, 91992–92008
(2019). https://doi.org/10.1109/ACCESS.2019.2927465